WPAD Configuration - weird behaviour

Question

Hello Community, 
 we have a Sophos UTM SG330 Appliance running on version: 9.508 
 In the section: "Web Protection-> Filtering Options -> Misc" we use the following proxy auto configuration: 
 ======================================================================= 
 function FindProxyForURL(url, host) { var resolved_ip = dnsResolve(host); //Don't proxy connections to the UTM web interface if (shExpMatch(url, "proxy.xxx.local:4444/*")) return "DIRECT"; //Exclude non-fqdn hosts from being proxied if (isPlainHostName(host)) return "DIRECT"; //Don't proxy Connections to Legacy NGA Net if ((shExpMatch(url, "^http://194.150.1.*")) || (shExpMatch(url,"^https://194.150.1.*"))) return "DIRECT"; if ((shExpMatch(url, "^http://194.150.0.*")) || (shExpMatch(url,"^https://194.150.0.*"))) return "DIRECT"; if (shExpMatch(url, "mobile.xxx.net")) return "PROXY 10.46.0.34:8080"; 
 //Don't proxy connections to the exempted URL matches if (shExpMatch(url, "xxx.net")) return "DIRECT"; if (shExpMatch(host, "citrix.xxx.net")) return "DIRECT"; if (shExpMatch(host, "owa.xxx.net")) return "DIRECT"; if (shExpMatch(host, "autodiscover.xxx.net")) return "DIRECT"; if (shExpMatch(host, "autodiscover.xxx.ch")) return "DIRECT"; if (shExpMatch(host, "viewer.xxx.net")) return "DIRECT"; if (shExpMatch(host, "transfer.xxx.net")) return "DIRECT"; if (shExpMatch(host, "hotspot.xxx.net")) return "DIRECT"; if (shExpMatch(host, "remote.xxx.net")) return "DIRECT"; if (shExpMatch(host, "meeting.xxx.net")) return "DIRECT"; if (shExpMatch(host, "outlook.xxx.local")) return "DIRECT"; if (shExpMatch(host, "*.xxx.local/*")) return "DIRECT"; if (shExpMatch(host, "xxx.local")) return "DIRECT"; //Don't proxy connections to private IP addresses if (isPlainHostName(host) || shExpMatch(host, "*.local") || isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0") || isInNet(resolved_ip, "xxx.xx.xxx.xxx", "255.255.255.255")) return "DIRECT"; return "PROXY 10.46.0.34:8080"; } 
 ======================================================================= 
 
 Now we have sometimes a weired behaviour on the client pcs while accessing some websites. 
 For example: 
 1. Proxy- Configuration in Internet Explorer: Just ticked the checkbox: Automatic detect proxy settings 
 
 Then if we navigate to: https://www.icloud.com it isn't possible to access the website. 
 Thats why we have an exception defined in: "Web Protection -> Filtering Options": 
 
 But the access is still not possible. 
 
 Now if we change the proxy settings in Internet Explorer to this: 
 
 All is working good. 
 
 Can one explain this? 
 
 Thanks so far!

Alexander Busch · Answer

Yes, iCloud is one of the applications which needs an other exception because of certificate pinning. 
 Please have a look at 
 I use these 
 ^https?://[A-Za-z0-9.-]*icloud.com/ 
 ^https?://[A-Za-z0-9.-]*windows.net/ 
 Best 
 Alex